Current Stable Version of Sudo
About Sudo
Getting Sudo
Documentation
Sudo Resources
Other
![[Powered by OpenBSD]](/images/openbsd_pb.gif){kind=small}
The current stable version of sudo is 1.7.1.
Major changes between version 1.7.0 and 1.7.1:
- Fixed a bug in the version of glob() supplied with
sudo that affected character classes and ranges.
- Fixed a NULL pointer dereference when the sudoers
file mode or owner was incorrect.
- Fixed a NULL pointer dereference when a PAM module
called the sudo conversation function during a phase other
than authentication.
- Fixed an LDAP compatibility problem with the AIX LDAP libraries.
- A new Defaults option "pwfeedback" will cause sudo to provide
visual feedback when the user is entering a password.
- A new Defaults option "fast_glob" will cause sudo to use the
fnmatch() function for file name globbing instead
of glob(). When this option is enabled, sudo will
not check the file system when expanding wildcards. This
is faster but a side effect is that relative paths with
wildcard will no longer work.
- New BSM audit support for systems that support it such as FreeBSD
and Mac OS X.
- The file name specified with the #include directive may now include
a %h escape which is expanded to the short form of hostname.
- The -k flag may now be specified along with a command, causing the
user's timestamp file to be ignored.
- New support for Tivoli-based LDAP START_TLS, present in AIX.
- New support for /etc/netsvc.conf on AIX.
- The unused alias checks in visudo now handle the case of an alias
referring to another alias.
- A new Defaults option "umask_override" will cause sudo to set the umask specified in sudoers even if it is more permissive than the invoking user's umask.
Major changes between version 1.6.9p19 and 1.7.0:
- Rewritten parser that converts sudoers into a set of data structures.
This eliminates a number of ordering issues and makes it possible to
apply sudoers Defaults entries before searching for the command.
It also adds support for per-command Defaults specifications.
- Sudoers now supports a #include facility to allow the
inclusion of other sudoers-format files.
- Sudo's -l (list) flag has been enhanced:
- applicable Defaults options are now listed
- a command argument can be specified for testing whether a user may run a specific command.
- a new -U flag can be used in conjunction with sudo -l to allow root (or a user with sudo ALL) to list another user's privileges.
- A new -g flag has been added to allow the user to specify a
primary group to run the command as. The sudoers syntax has been
extended to include a group section in the Runas specification.
- A uid may now be used anywhere a username is valid.
- The secure_path run-time Defaults option has been restored.
- Password and group data is now cached for fast lookups.
- The file descriptor at which sudo starts closing all open files is now
configurable via sudoers and, optionally, the command line.
- visudo will now warn about aliases that are defined but
not used.
- The -i and -s command line flags now take an optional command
to be run via the shell. Previously, the argument was passed
to the shell as a script to run.
- Improved LDAP support. SASL authentication may now be used in
conjunction when connecting to an LDAP server. The krb5_ccname
parameter in ldap.conf may be used to enable Kerberos.
- Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
to specify the sudoers order. E.g.:
sudoers: ldap files
to check LDAP, then /etc/sudoers. The default is files, even when LDAP support is compiled in. This differs from sudo 1.6 where LDAP was always consulted first. - Support for /etc/environment on AIX and Linux. If sudo is
run with the -i flag, the contents of /etc/environment are
used to populate the new environment that is passed to the command
being run.
- Sudo now ignores user .ldaprc files as well as system LDAP defaults.
All LDAP configuration is now in /etc/ldap.conf
(or whichever file was specified by configure's
--with-ldap-conf-file option).
If you are using TLS, you may now need to specify:
tls_checkpeer no
in sudo's ldap.conf unless ldap.conf references a valid certificate authority file(s). - If no terminal is available or if the new -A flag is specified,
sudo will use a helper program to read the password if one is
configured. Typically, this is a graphical password prompter
such as ssh-askpass.
- A new Defaults option, "mailfrom" that sets the value of the
"From:" field in the warning/error mail. If unspecified, the
login name of the invoking user is used.
- Resource limits are now set to the default value for the
user the command is being run as on AIX systems.
- A new Defaults option, "env_file" that refers to a file containing environment variables to be set in the command being run.
- A new -n flag is available which may be used to indicate
that sudo should not prompt the user for a password and,
instead, exit with an error if authentication is required.
- A new Defaults option, "sudoers_locale" that can be used to set the locale to be used when parsing the sudoers file.
- sudoedit now checks the EDITOR and VISUAL environment variables to make sure sudoedit is not re-invoking itself (or sudo). This allows one to set EDITOR to sudoedit without getting into an infinite loop for programs that need to invoke an editor such as crontab(1). Also added SUDO_EDITOR environment variable which is used by sudoedit in preference to EDITOR/VISUAL.
- The versions of glob(3) and fnmatch(3) bundled with sudo now support POSIX character classes.
- If sudo needs to prompt for a password and it is unable to disable echo (and no askpass program is defined), it will refuse to run unless the "visiblepw" Defaults option has been specified.
- Prior to version 1.7.0, hitting enter/return at the Password: prompt would exit sudo. In sudo 1.7.0 and beyond, this is treated as an empty password. To exit sudo, the user must now press ^C or ^D at the prompt.